Symantec Identifies Android Malware on Google Play Using Remote Payload

Symantec found two malicious apps on Google Play that may have infected up to 100,000 users before they were removed by Google.

The malware posed as two apps, "Super Mario Bros." and "GTA3 Moscow City," and used a remote payload technique to avoid detection, Irfan Asrar, a security researcher from Symantec, wrote on the Symantec Connect blog July 10. Both apps appeared on Google Play on June 24 and racked up between 50,000 and 100,000 downloads in less than two weeks.

"What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered," Asrar wrote.

Both apps employed remote payloads, where the malicious code is broken into separate modules and delivered independently, Asrar wrote. This technique may be partly how they managed to get past Google's "Bouncer," a screening technology that scans all apps on Google Play to detect and block malicious apps.

The apps, as posted on Google Play, contained only the component that Asrar identified as Android.Dropdialer. Once installed, the apps downloaded the next component, a malicious activator file, via Dropbox. The package, Activator.apk, is set up to send SMS messages to a premium-rate number based in Eastern Europe, Asrar said.

Notably, once the app had sent out premium SMS messages and racked up high charges on the user's phone bill, it would prompt the user to uninstall Activator.

Since the malicious activity was performed by Activator, which was never on Google Play, Bouncer wouldn't have known what the apps would wind up doing.
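The split described above, a store-listed dropper that only needs network access and a second-stage package that holds the SMS capability, is easy to miss if a scanner judges each package in isolation. The following Python example (added here; not Symantec's code and not the real manifests of Dropdialer or Activator, which are constructed stand-ins) parses AndroidManifest.xml permission declarations and shows that the store copy looks harmless on its own, while a check over the whole install chain flags the combination of a network-capable dropper and a later-installed SMS-capable package.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities a defender cares about for a premium-SMS dropper chain.
SMS_PERMS = {"android.permission.SEND_SMS"}
NETWORK_PERMS = {"android.permission.INTERNET"}

# Constructed sample manifests (hypothetical package names, not the real apps).
STORE_APP_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Fake Game"/>
</manifest>
"""

SECOND_STAGE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.activator">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Activator"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            perms.add(name)
    return perms


def assess(manifest_xml):
    """Summarise one package the way a per-package static scan would."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    return {
        "package": root.get("package"),
        "can_send_sms": bool(perms & SMS_PERMS),
        "can_fetch_code": bool(perms & NETWORK_PERMS),
    }


def split_payload_suspected(store_manifest, later_manifests):
    """Flag the chain when the store copy cannot send SMS but can fetch code,
    and a package installed afterwards gains SEND_SMS.

    `later_manifests` would come from on-device telemetry (packages installed
    after the store app ran); here they are passed in directly.
    """
    store = assess(store_manifest)
    if store["can_send_sms"] or not store["can_fetch_code"]:
        return False
    return any(assess(m)["can_send_sms"] for m in later_manifests)


if __name__ == "__main__":
    print("store copy:", assess(STORE_APP_MANIFEST))
    print("second stage:", assess(SECOND_STAGE_MANIFEST))
    print("split payload suspected:",
          split_payload_suspected(STORE_APP_MANIFEST, [SECOND_STAGE_MANIFEST]))
```

Run stand-alone, the store copy reports no SMS capability, which is exactly why a store-side scan of the listed APK alone would not see the premium-SMS behaviour; only correlating it with what the app installs afterwards exposes the chain.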

Mobile malware is a growing problem, as criminals realize mobile devices are a goldmine of valuable information, Stefan Tanase, senior security researcher at Kaspersky Lab, said recently. There were 1,160 mobile malware samples between 2004 and 2010, compared to 13,870 samples already discovered in 2012, Tanase said. Many malicious apps use popular titles to trick users into thinking they are versions of official games, or a free version of a paid app, he said.

However, malicious Android apps that send SMS messages are generally a bigger threat outside the United States, where it's easier to set up premium SMS services, according to Denis Maslennikov, a senior malware analyst at Kaspersky Lab. They are increasingly common in Eastern Europe, Russia, and other countries.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.